As computers have become prevalent in schools and the workplace, users are assigned passwords to gain access to an organization's computerized resources. Passwords are required for users to log on to the network, retrieve e-mail, access restricted information and use restricted applications. Rather than requiring users to remember multiple passwords, many organizations use a password manager program that assigns to each user a single password used for accessing all of the organization's computerized resources.
In order to provide a higher level of security, password manager programs often assign strong passwords. Strong passwords generally comprise at least eight randomly generated characters that include a combination of letters and numbers and sometimes include other special characters. To further enhance security, passwords may change at regular intervals. Because randomly generated strong passwords do not spell out a word, phrase, or date, randomly generated strong passwords are often difficult for users to remember. Frequent password changes increase the difficulty users have remembering passwords. Thus, organizations provide a mechanism for users to retrieve or reset their forgotten passwords. Often, automated mechanisms for retrieving and resetting passwords alleviate the need for live technical support.
One known automated mechanism for retrieving or resetting forgotten passwords utilizes an interactive World Wide Web interface, a user identification, and a predefined challenge phrase. The user provides a user identification and then responds to a prompt for a predefined challenge phrase. The predefined challenge phrase is an easy to remember phrase previously provided by the user such as the name of a pet, the make of a first car, or the maiden name of the user's mother. After the user responds correctly, the password is sent to the user via e-mail. There are two drawbacks to a system using a predefined challenge phrase. First, the challenge phrase can be known to persons close to the user. Second, receiving an e-mail with the password is impractical if the user cannot access e-mail without the forgotten password. To overcome the problem of not being able to access e-mail to retrieve a password when the user has forgotten the password, live or automated operators are often employed by telephone systems to administer the challenge phrase or other identity authentication and to provide the password.
Another automated mechanism for retrieving or resetting forgotten passwords via a telephone system uses a second, easy to remember password or Personal Identification Number (“PIN”) to authenticate the user's identity. There are drawbacks to using a PIN because the PIN never expires, the PIN may get copied down, or the PIN may be used in multiple places. As with challenge phrases, these shorter, less secure passwords have a high risk of discovery by others and weaken the higher level of security provided by the strong password.
One known solution to overcome the limitations encountered when using challenge phrases and secondary passwords for user authentication is voice biometric verification. Voice biometric verification systems use a person's individual speech patterns, called a voice fingerprint, to authenticate identity. Voice biometric verification systems have certain limitations. Bad connections or interference caused by long distance, cellular calls and voice over Internet protocol (“VoIP”) phone systems make voice biometric verification unreliable. Moreover, voice biometric verification may improperly grant access to a caller other than the user, if the caller uses a voice recording of the user. Because of these problems, security experts question the efficacy of voice biometrics over the telephone.
All security systems seek a balance between a risk of false acceptance and a risk of false rejection. If a security threshold is too stringent, there exists a risk of false rejection which frustrates authorized users who cannot access the secured resources. If the security threshold is too lax, there exists a risk of false acceptance which allows unauthorized users access to secured resources. A need exists for an improved automated method of verifying a user's identity for resetting passwords that does not rely on memorized challenge phrases or biometric voice identification, but which provides unique identity authentication questions that are easy for an authorized user to answer, and difficult for an unauthorized user to answer.